Ref | Hits | Search Query | DBs | Default Operator | Plurals | Time Stamp
S1 | 1674 | network near session | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:17
S2 | 3286 | network near event | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:17
S3 | 1771 | event near parameter | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:17
S4 | 47028 | ((network near message) or (message)) near transmit$3 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:17
S5 | 1489 | network near stream | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:17
S6 | 92665 | (NAT) or (Network near address near translation) | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:20
S7 | 5275 | network near security | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:20
S8 | 343 | S6 and S7 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:21
S9 | 145 | S8 and session and event and parameter | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:27
S10 | 731 | S6 and session and event and parameter | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:27
S11 | 396 | S6 and session and event and parameter and stream | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:27
S12 | 122 | S6 and S1 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:28
S13 | 1037 | (709/200).ccls. | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:28
S14 | 10 | S6 and S13 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:29
S15 | 7 | S14 and session | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:29
S16 | 3 | S15 and event | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:30
S17 | 3 | S16 and parameter | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:30
S18 | 2 | S17 and stream | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/23 16:30
S19 | (illegible) | event near (aggregation or correlation) | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:49
S20 | 33224 | NAT or (Network adj address adj translation) | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:49
S21 | 2326 | intrusion adj detection | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:49
S22 | 1761 | event near group$3 | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:50
S23 | 12 | (S19 or S22) and S20 and S21 | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:52
S25 | 38 | S20 near rule | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:54
S26 | 20474 | event near (detect$ or monitor$) | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:54
S27 | 4 | S25 and S26 | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:56
S28 | 1 | S25 and S21 and S19 | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:56
S29 | 3 | S25 and S21 and event | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:57
S30 | 3300 | event near manag$5 | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:58
S31 | 15 | S30 near security | US-PGPUB; USPAT | OR | ON | 2004/12/28 14:59
S32 | 236290 | S21 or IDS | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:00
S33 | 19377 | S32 and S20 | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:00
(illegible) | (illegible) | S33 and (S19 or S22) | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:09
S36 | 1466 | network near session | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:09
S37 | 968 | (S36 or session) and (event or S19) and S20 | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:10
S38 | 73 | (S36) and (event or S19) and S20 | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:20
S39 | 3 | S38 and S19 | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:20
S40 | 1 | (6122665).pn. | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:21
S41 | 0 | S40 and S20 | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:21
S42 | 1 | (5717879).pn. | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:21
S43 | 0 | S42 and S20 | US-PGPUB; USPAT | OR | ON | 2004/12/28 15:21
S44 | 1998 | (709/224).CCLS. | USPAT; USOCR | OR | OFF | 2004/12/28 15:35
S45 | 1474 | (713/201).CCLS. | USPAT; USOCR | OR | OFF | 2004/12/28 15:35
S46 | 267 | (719/318).CCLS. | USPAT; USOCR | OR | OFF | 2004/12/28 15:35
S47 | 780 | (709/228).CCLS. | USPAT; USOCR | OR | OFF | 2004/12/28 15:35
S48 | 753 | (709/202).CCLS. | USPAT; USOCR | OR | OFF | 2004/12/28 15:35
S51 | 103 | S44 and S48 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/28 15:37
S53 | 88 | S44 and S45 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/28 15:38
S54 | 3 | S51 and S53 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/28 15:39
S55 | 24 | S48 and S45 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/28 15:41
S56 | 9 | S44 and S47 and S48 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/28 15:43
S57 | 0 | "709.clas" and S45 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/28 15:43
S58 | 16940 | ("709").CLAS. | USPAT; USOCR | OR | OFF | 2004/12/28 15:43
S59 | 597 | S58 and S45 | US-PGPUB; USPAT; EPO; JPO; DERWENT | OR | ON | 2004/12/28 15:44
S60 | 1 | S59 and S20 and S26 | US-PGPUB; USPAT; EPO; JPO; DERWENT | OR | ON | 2004/12/28 15:47
S61 | 28 | S59 and S20 | US-PGPUB; USPAT; EPO; JPO; DERWENT | OR | ON | 2004/12/28 15:48
S62 | 30 | S59 and (S20 or S19) | US-PGPUB; USPAT; EPO; JPO; DERWENT | OR | ON | 2004/12/28 15:48
S63 | 0 | S61 not S62 | US-PGPUB; USPAT; EPO; JPO; DERWENT | OR | ON | 2004/12/28 15:48
S64 | 2 | S62 not S20 | US-PGPUB; USPAT; EPO; JPO; DERWENT | OR | ON | 2004/12/28 15:48
S65 | 174364 | packet | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 10:35
S66 | 5340557 | group$3 or associat$5 or correlat$4 or relat$4 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:11
S68 | 1982671 | transmission or stream or message or session | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 10:36
S69 | 9461 | S65 near S66 | US-PGPUB; USPAT | OR | ON | 2004/12/29 10:37
S70 | 22846 | S65 near S68 | US-PGPUB; USPAT | OR | ON | 2004/12/29 10:37
S71 | 92744 | (NAT) or (Network near address near translation) | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 10:38
S72 | 5181 | S69 and S70 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 10:38
S73 | 6 | (S69 or S70) near S71 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 10:38
S74 | 121 | (S69 or S70) same S71 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 14:28
S75 | 1742 | synchroniz$6 near S65 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:12
S76 | 832 | S75 same S68 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:12
S77 | 134 | S65 near S71 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:12
S78 | 0 | S76 and S77 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:13
S79 | 832 | S75 same S68 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:13
S80 | 547 | S79 and S70 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:13
S81 | 202 | S80 and S69 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:14
S82 | 3 | S81 and S71 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:14
S83 | 579 | Turn near packet | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:43
S84 | 186 | Turn near protocol | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 11:44
S85 | 4 | S83 and S84 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 12:00
S86 | 53 | (709/245).ccls. and ("713").clas. | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 15:38
S87 | 4 | S86 and (S75 or S69) | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 12:16
S88 | 3116 | previous$ near packet | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 12:16
S89 | 2827 | compar$ near packet | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 12:16
S90 | 41 | S88 same S89 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/29 12:17
S97 | 1 | ((US "6496935" B1).pn. or (US "20040073704" A1).pn.) and rule$ | US-PGPUB; USPAT | OR | ON | 2004/12/30 16:09
S98 | 92882 | (NAT) or (Network near address near translation) | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 14:31
S105 | 1 | (US "20040260763" A1).pn. and overlap$ | US-PGPUB; USPAT | OR | ON | 2004/12/30 15:22
S106 | 53 | (709/245).ccls. and ("713").clas. | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 15:38
S107 | 9 | S106 and S98 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 15:40
S108 | 788 | (multiple or many or (more near one)) with (NAT or NATs) | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 15:40
S110 | 45 | S108 with (Intranet or (private near network)) | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 15:42
S111 | 42 | S110 and (events or packet) | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 15:46
S112 | 6723 | (map$ or rule) with overlap$ | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 15:46
S113 | 42 | S111 and S98 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 15:47
S114 | 987 | S112 and S98 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 15:47
S115 | 3 | S112 with S98 | US-PGPUB; USPAT; EPO; DERWENT | OR | ON | 2004/12/30 15:47
Publication year

Publication type

CPP Conference Paper.

Treatment codes

P Practical.

Abstract

We present the design and implementation of a collaborative intrusion detection system (CIDS) for accurate 
and efficient intrusion detection in a distributed system. CIDS employs multiple specialized detectors at the 
different layers - network, kernel and application - and a manager based framework for aggregating the 
alarms from the different detectors to provide a combined alarm for an intrusion. The premise is that a 
carefully designed and configured CIDS can increase the accuracy of detection compared to individual 
detectors, without a substantial degradation in performance. In order to validate the premise, we present the 
design and implementation of a CIDS which employs Snort, Libsafe, and a new kernel level IDS called 
Sysmon. The manager has a graph-based and a Bayesian network based aggregation method for combining 
the alarms to finally come up with a decision about the intrusion. The system is evaluated using a Web-based 
electronic store front application and under three different classes of attacks - buffer overflow, flooding and 
script-based attacks. The results show performance degradations compared to no detection of 3.9% and 6.3% 
under normal workload and a buffer overflow attack respectively. The experiments to evaluate the accuracy of 
the system show that the normal workload generates false alarms for Snort and the elementary detectors 
produce missed alarms. CIDS does not flag the false alarm and reduces the incidence of missed alarms to 1 of 
the 7 cases. CIDS can also be used to measure the propagation time of an intrusion which is useful in 
choosing an appropriate response strategy. (19 refs). 

Descriptors 

belief-networks; Internet; security-of-data. 

Keywords 

collaborative intrusion detection system; distributed system; specialized detectors; graph based aggregation method; Bayesian network based aggregation method; Web based electronic store; false alarms; missed
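The Bayesian-network aggregation the abstract describes, shown as an added example rather than the paper's own code: a manager that combines the verdicts of one detector per layer under a naive-Bayes independence assumption. The detector names, the per-detector detection and false-alarm rates and the intrusion prior are constructed assumptions chosen to illustrate the mechanism, not values measured in the paper.

```python
"""Naive-Bayes aggregation of alarms from layered IDS detectors.

Added example, not code from the CIDS paper. The detector names, the
per-detector detection and false-alarm rates and the intrusion prior
are constructed assumptions, not values measured in the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    """An elementary detector characterised by its error rates.

    tpr = P(alarm | intrusion)       detection rate
    fpr = P(alarm | no intrusion)    false-alarm rate
    """
    name: str
    tpr: float
    fpr: float


# Assumed characteristics for one detector per layer (network, application,
# kernel). The network sensor is the noisy one, as the abstract reports for Snort.
DETECTORS = {
    "network": Detector("network", tpr=0.80, fpr=0.10),
    "application": Detector("application", tpr=0.70, fpr=0.02),
    "kernel": Detector("kernel", tpr=0.60, fpr=0.01),
}

PRIOR_INTRUSION = 0.01  # assumed base rate of an intrusion per observation window


def posterior_intrusion(alarms, prior=PRIOR_INTRUSION):
    """P(intrusion | detector verdicts), assuming the detectors err independently
    given the true state (the naive-Bayes form of a Bayesian-network manager).

    alarms maps detector name -> True if it raised an alarm in the window,
    False if it stayed silent. Silence counts as evidence too, via 1 - tpr
    and 1 - fpr, so one noisy alarm is outweighed by two silent detectors.
    """
    like_intrusion, like_benign = prior, 1.0 - prior
    for name, raised in alarms.items():
        d = DETECTORS[name]
        like_intrusion *= d.tpr if raised else 1.0 - d.tpr
        like_benign *= d.fpr if raised else 1.0 - d.fpr
    return like_intrusion / (like_intrusion + like_benign)


def combined_alarm(alarms, threshold=0.5):
    """Manager decision: raise the combined alarm once the posterior crosses threshold."""
    return posterior_intrusion(alarms) >= threshold


if __name__ == "__main__":
    cases = {
        "normal workload, network-only false alarm": {"network": True, "application": False, "kernel": False},
        "buffer overflow seen at all layers": {"network": True, "application": True, "kernel": True},
        "overflow missed by the network sensor": {"network": False, "application": True, "kernel": True},
    }
    for label, verdicts in cases.items():
        p = posterior_intrusion(verdicts)
        print(f"{label}: posterior={p:.4f} combined alarm={combined_alarm(verdicts)}")
```

With these assumed rates a lone network alarm leaves the posterior below one percent, so the manager stays quiet on the normal-workload false alarm, while agreement between the application and kernel detectors pushes it above 0.8 even when the network sensor misses the attack; the numbers come out of the assumptions, but the shape of the result is what the abstract claims for combining detectors.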
Publication year

2003.

Publication type

J Journal Paper.

Treatment codes

P Practical.

Abstract
Abstract 

A method for the analysis of an event correlation is introduced based on the characteristics of the two kinds 
of relationships, that is, redundancy relationship and cause and effect relationship. Based on that, an 
architecture designed for event correlation analysis apparatus is presented. Practice shows that event 
correlation can decrease the number of alerts, reduce false alerts and discover high-level attack strategies 
effectively. (2 refs). 
Descriptors

Publication year

2003.

Language

EN.

Publication type

CPP Conference Paper, J Journal Paper.

Treatment codes

P Practical.

Abstract
Abstract 

In this paper, we propose a cyber-event fusion, correlation, and situation assessment framework that, when 
instantiated, will allow cyber defenders to better understand the local, regional, and global cyber-situation. 
This framework, with associated metrics, can be used to guide assessment of our existing cyber-defense 
capabilities, and to help evaluate the state of cyber-event correlation research and where we must focus our 
future cyber-event correlation research. The framework, based on the cyber-event gathering activities and 
analysis functions, consists of five operational steps, each of which provides a richer set of contextual 
information to support greater situational understanding. The first three steps are categorically depicted as 
increasingly richer and broader-scoped contexts achieved through correlation activity, while in the final two 
steps, these richer contexts are achieved through analytical activities (situation assessment, and threat analysis 
& prediction). Category 1 Correlation focuses on the detection of suspicious activities and the correlation of 
events from a single cyber-event source. Category 2 Correlation clusters the same or similar events from 
multiple detectors that are located at close proximity and prioritizes them. Finally, the events from different 
time periods and event sources at different locations/regions are correlated at Category 3 to recognize the 
relationship among different events. This is the category that focuses on the detection of large-scale and 
coordinated attacks. The situation assessment step (Category 4) focuses on the assessment of cyber asset 
damage and the analysis of the impact on missions. The threat analysis and prediction step (Category 5) 
analyzes attacks based on attack traces and predicts the next steps. Metrics that can distinguish correlation 
and cyber-situation assessment tools for each category are also proposed. (4 refs). 
Descriptors

open-systems; security-of-data; sensor-fusion.

Keywords

cyber event fusion; situation assessment framework; cyber defenders; cyber defense capabilities; contextual information; suspicious activities; attack traces; intrusion detection; data fusion.
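The two relationships of the event-correlation abstract above (redundancy, and cause and effect) and the Category 2 clustering and Category 3 chaining steps of the fusion framework, as one added example that is code from neither paper. The alert records, sensor and signature names, time windows and the cause/effect rule table are constructed for the illustration.

```python
"""Alert correlation by redundancy and by cause-and-effect.

Added example, not code from either paper above. The sample alerts, the
sensor and signature names and the cause/effect rule table are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Alert:
    ts: float            # seconds since the start of the observation window
    sensor: str          # detector that raised it
    sig: str             # signature / event type
    src: str
    dst: str
    count: int = 1       # raw alerts this record stands for after merging
    causes: list = field(default_factory=list)  # earlier alerts it follows from


# Constructed rules: cause signature -> (effect signature, max seconds between them).
# An effect is linked to a cause seen on the same (src, dst) pair inside that window.
CAUSE_EFFECT = {
    "portscan": ("exploit_attempt", 600.0),
    "exploit_attempt": ("shell_spawned", 300.0),
}

# Constructed raw alert stream: two network sensors see the same scan, the
# application and kernel layers see the same exploit, the kernel sees the
# resulting shell, and an unrelated scan arrives later from another host.
RAW_ALERTS = [
    Alert(0, "net-dmz", "portscan", "10.0.0.5", "192.168.1.10"),
    Alert(10, "net-core", "portscan", "10.0.0.5", "192.168.1.10"),
    Alert(20, "net-dmz", "portscan", "10.0.0.5", "192.168.1.10"),
    Alert(30, "net-core", "portscan", "10.0.0.5", "192.168.1.10"),
    Alert(40, "net-dmz", "portscan", "10.0.0.5", "192.168.1.10"),
    Alert(200, "app-ids", "exploit_attempt", "10.0.0.5", "192.168.1.10"),
    Alert(205, "kernel-ids", "exploit_attempt", "10.0.0.5", "192.168.1.10"),
    Alert(350, "kernel-ids", "shell_spawned", "10.0.0.5", "192.168.1.10"),
    Alert(1000, "net-dmz", "portscan", "10.0.0.9", "192.168.1.20"),
]


def merge_redundant(alerts, window=60.0):
    """Redundancy relationship: alerts with the same (sig, src, dst), from any
    sensor, within `window` seconds of the first one collapse into one record
    with a count. This is also the Category 2 step of the framework abstract:
    clustering the same or similar events from detectors close to each other."""
    merged, open_cluster = [], {}   # key -> index of the cluster's first alert
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst)
        i = open_cluster.get(key)
        if i is not None and a.ts - merged[i].ts <= window:
            merged[i].count += 1
            continue
        merged.append(Alert(a.ts, a.sensor, a.sig, a.src, a.dst))
        open_cluster[key] = len(merged) - 1
    return merged


def link_causes(alerts):
    """Cause-and-effect relationship: attach to each alert the earlier alerts
    that the rule table says could have produced it."""
    seen = defaultdict(list)        # (sig, src, dst) -> earlier alerts, time order
    for a in sorted(alerts, key=lambda x: x.ts):
        for cause_sig, (effect_sig, window) in CAUSE_EFFECT.items():
            if a.sig != effect_sig:
                continue
            for c in seen[(cause_sig, a.src, a.dst)]:
                if a.ts - c.ts <= window:
                    a.causes.append(c)
        seen[(a.sig, a.src, a.dst)].append(a)
    return alerts


def attack_chains(alerts):
    """Follow cause links back from terminal effects; a multi-step chain is the
    high-level attack strategy the abstract says correlation can expose."""
    is_cause = {id(c) for a in alerts for c in a.causes}
    chains = []
    for a in alerts:
        if not a.causes or id(a) in is_cause:
            continue
        chain, cur = [a], a
        while cur.causes:
            cur = cur.causes[0]
            chain.append(cur)
        chains.append([x.sig for x in reversed(chain)])
    return chains


def correlate(raw):
    """Apply both relationships; returns the reduced alert list and attack chains."""
    merged = link_causes(merge_redundant(raw))
    return merged, attack_chains(merged)


if __name__ == "__main__":
    merged, chains = correlate(RAW_ALERTS)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(merged)} after redundancy merge")
    for a in merged:
        print(f"  t={a.ts:>5} {a.sig:<16} {a.src}->{a.dst} x{a.count}")
    print("attack chains:", chains)
```

On the constructed stream the redundancy pass cuts nine raw alerts to four records, and the cause-and-effect pass links the remaining scan, exploit and shell alerts on the same source/destination pair into a single three-step chain while leaving the unrelated scan unattached, which is the alert reduction and strategy discovery the abstract reports. The rule table and windows are the part a real deployment has to get right: too wide a window links unrelated events, too narrow a window breaks slow attacks into separate fragments.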